You don't need to populate all those fields in an AKI extension (just the key_identifier is sufficient). The authority_cert_issuer is a list of GeneralName objects. This is typically derived from the Name, but a Name is actually a list of RelativeDistinguishedName objects, each of which can contain 1 to n GeneralName objects. In the common case each RDN contains just one GeneralName so you can just extract them to make the list of GeneralName objects. However, you probably just don't want to set values for the last two fields.
-Paul (reaperhulk)

On September 30, 2017 at 4:48:35 AM, Julian Meyer (jul...@meyer-privat.com) wrote:

Hi,

I would like to sign a certificate with my internal intermediate (CA) certificate and add the AuthorityKeyIdentifier extension with authority_cert_issuer and authority_cert_serial_number. Only key_identifier works, but with authority_cert_issuer and authority_cert_serial_number I get this error:

    authority_cert_issuer must be a list of GeneralName objects

I am trying to use the subject of the public certificate of my intermediate certificate. The code looks like this:

    builder = builder.add_extension(
        x509.AuthorityKeyIdentifier(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(caCert.cert.public_key()),
            caCert.cert.subject,
            caCert.cert.serial,
        ),
        critical=False,
    )

In caCert.cert I have loaded the public certificate of my intermediate CA. In caCert.key is my private key, which I use to sign it.

How can I generate authority_cert_issuer and authority_cert_serial_number from the CA's public certificate?

I'm just a hobby programmer and not a pro, so it would be very nice if someone could help me with this issue.

Kind regards
Julian

_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
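An added example, not part of either message and not the project's own code, showing the key_identifier-only form and the full form of the extension discussed in this thread. The helpers make_ca_cert and build_aki and the "Demo" certificates are constructed for illustration; a recent cryptography release (no backend argument) is assumed.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca_cert(subject_cn, issuer_cn, subject_key, signing_key):
    """Constructed throwaway CA certificate, for the demo only."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def build_aki(ca_cert, include_issuer_and_serial=False):
    # key_identifier must be bytes, not an AuthorityKeyIdentifier object.
    key_id = x509.AuthorityKeyIdentifier.from_issuer_public_key(
        ca_cert.public_key()
    ).key_identifier
    if not include_issuer_and_serial:
        return x509.AuthorityKeyIdentifier(key_id, None, None)
    # A Name is not a GeneralName: wrap it in DirectoryName and pass a list.
    # RFC 5280: issuer + serial identify the CA's own certificate, so the name
    # is the CA certificate's issuer, paired with the CA certificate's serial.
    return x509.AuthorityKeyIdentifier(
        key_id, [x509.DirectoryName(ca_cert.issuer)], ca_cert.serial_number
    )


# Constructed two-level chain: a root key signs the intermediate CA certificate.
root_key = ec.generate_private_key(ec.SECP256R1())
inter_key = ec.generate_private_key(ec.SECP256R1())
intermediate = make_ca_cert("Demo Intermediate", "Demo Root", inter_key, root_key)
```

The returned object is what goes into `builder.add_extension(..., critical=False)` when signing with the intermediate's private key.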